Privia Security was chosen as one of Türkiye's fastest growing companies!
Privia Security was chosen as one of Türkiye's fastest growing companies!
In today’s technology-driven world, no organization can consider itself secure without a robust Cybersecurity Plan designed by cybersecurity consultants and implemented with the help of cutting-edge cybersecurity tools. Like many industries, aviation faces cybersecurity challenges that can jeopardize flight operations, result in financial and data losses, and even endanger the safety of commercial aircraft and human lives. However, cybersecurity in military aviation remains an “uncharted territory” for civilian cybersecurity firms. For this reason, a clearer understanding of military aviation and its operations is needed so that cybersecurity companies can propose appropriate measures to protect military aviation assets.
The civil aviation industry requires connectivity with the outside world to conduct its operations, which can make it a lucrative target for attackers. As a result, the aviation sector is just as vulnerable to cyberattacks and breaches as any other industry. The massive digital transformation in the aviation industry over recent years has led to heavy reliance on the latest technologies interconnecting airline operations and systems across the entire industry.
However, these remarkable benefits of technological advancement do not come without a cost. The security of complex ground system connections and predictive maintenance in civil aviation is critically important for aircraft safety, airline operations, airline and passenger data, services, reputation, and the financial health of the industry. Cybercriminals, terrorists, and APT groups (cyber threat actors) continue to discover innovative techniques to compromise aviation systems — operationally, financially, physically, and reputationally. Regarding civil aviation cybersecurity in Turkey, the Directorate General of Civil Aviation has prepared and applies a cybersecurity directive to all operators. According to data published by Eurocontrol (a civil-military organization dedicated to supporting European aviation), cyberattacks against the aviation industry are increasing every year. Attack statistics for the last three years are shown below.
According to an article published by independent research firm KonBriefing, 38 cyberattacks were carried out against the aviation sector in February 2023 alone. The data also shows that the most common attack types in 2020, 2021, and 2022 were Ransomware (22%), Data Breach (18.6%), Phishing (15.3%), and DDoS (7.3%).
The introduction of every new technology into the aviation industry effectively expands the existing attack surface that cyber adversaries can exploit. This necessitates regular analysis of the aviation industry’s cyber domain by experts to ensure the security, integrity, reliability, and resilience of aviation industry operations. Given the broad attack surface of the civil aviation industry and the associated consequences of cyberattacks and threats, cybersecurity for the civil aviation sector is generally well understood by commercial cybersecurity firms and organizations such as ICAO (International Civil Aviation Organization). Security measures and protocols should be regularly applied to ensure the cybersecurity of the civil aviation industry.
Cybersecurity for both civil and military aviation cannot be considered separately in the digital realm. NATO experts observe that there are strong interdependencies between the users and stakeholders of civil and military aviation. Any potential cyberattack against the ATM (Air Traffic Management) system would not only impede the safe conduct and management of both civil and military flights, but could also undermine confidence in the overall security and resilience posture of NATO and its member states. As such, any significant disruption to civil aviation carries national security implications, elevating the risks to the next level.
It is also a reality that the operational requirements and cybersecurity needs of military aviation are less well understood by civilian cybersecurity firms, due to the limited availability and disclosure of the technical knowledge required to understand the nature and scope of military operations. For this reason, many militaries around the world have established their own cyber commands staffed by in-house cybersecurity experts. However, not all militaries possess technically sophisticated cybersecurity setups and the expertise needed to address the latest cybersecurity threats.
When it comes to the availability of cutting-edge cybersecurity technology and threat intelligence, they are largely dependent on civilian cybersecurity expertise. Due to these inherent limitations, militaries and military aviation assets have also become targets of cyberattacks worldwide. According to KonBriefing, 34 cyberattacks were reported against military facilities in 26 countries in 2022 — including 15 NATO members such as the USA, UK, Turkey, France, Italy, Germany, Canada, Poland, Finland, Romania, Denmark, and Estonia. The highest number of attacks reported were directed against the military installations of Russia, Italy, the UK, Romania, and Peru.
Unlike civil aviation, the core of military operational assets — including aviation — generally does not require connectivity with the outside world. Most of the attacks mentioned above against military structures targeted systems that were directly or indirectly connected to the outside world for operational reasons. Therefore, fully understanding the entire canvas of military operations at the strategic, operational, and tactical levels — across air, land, sea, space, and cyber forces — is a very broad topic that goes well beyond the scope of this article. Nevertheless, the following paragraphs aim to describe the main components of military aviation, their key cybersecurity concerns, and possible remedial measures.
Aviation assets are in high demand across all branches of the armed forces — land, air, sea, and space. Military aviation assets are not limited to airborne platforms alone. There are other essential installations required operationally to carry out assigned missions. Military aviation and aviation-related assets can generally be grouped into the following main categories, depending on their roles and missions:
It is important to understand that all of these elements rarely operate independently — they are used in various combinations to achieve synergy and to carry out assigned missions efficiently and safely. To operate in synergy, these elements need some form of connectivity to exchange vital information with other assets when necessary. Airborne systems exchange this information mostly via radio frequencies, data links, and SATCOMs operating on frequencies allocated specifically for military use. These are secure against intrusion resulting from common cyberattacks.
However, some of these airborne systems and their associated ground stations (e.g., heavy/light transport & communications aircraft, AEWCs, air-to-air refuellers, navigational services, C2 centers, S&R elements, FIS & ATM services) may require connectivity with external entities for operational necessities and could become vulnerable to cyber threats if appropriate measures are not taken. Additionally, vital military aviation assets and associated equipment frequently require connection to specialized equipment such as test devices, ground terminals, and dedicated tools for pre/post-mission data upload/download, software updates, maintenance, crypto-key exchange, and similar activities. These represent the most vulnerable points for operational assets — and could lead to the compromise of related systems if robust cybersecurity measures and tools are not incorporated. Other operational military aviation assets and systems are isolated from the outside world in a way that renders them relatively secure against common cyber threats.
Today, all military aviation assets — both ground-based and airborne — contain widely used computers, IT/OT systems, and specialized hardware running purpose-built firmware. All electronic devices used in aviation assets are also known as Avionics. According to BAE Systems, avionics is a category of electronic systems and equipment specifically designed for use in aviation (aircraft, space, satellites). Avionics in a typical modern combat aircraft include: engine controls, flight control systems (primary and secondary), navigation, communications, landing gear systems, flight data recorders, lighting systems, threat detection systems, fuel systems, EO/IR systems, weather radar, performance monitoring systems, weapon management systems, mission computers (integrated computing systems), and more. For modern military aircraft to be operable under various operational conditions, avionics systems must be able to communicate with one another securely and efficiently.
Aviation electronics, or avionics, typically use embedded systems that operate either independently or as part of a larger system. In military aviation, embedded systems are essentially user-oriented devices or mini-computers with their own software or operating system based on embedded programming languages such as C/C++. These computers are known as LRUs (Line Replaceable Units). LRUs can be quickly and easily removed from an aircraft without specialized tools, allowing a faulty unit to be replaced with a serviceable one while the defective one goes in for maintenance — ensuring operational efficiency without compromising performance.
Based on the discussion so far, the following conclusions can be drawn:
If we were to categorize the cybersecurity vulnerabilities of avionics designed for high-value, sensitive aviation platforms, they can be grouped into three main categories:
Specification Vulnerabilities
These vulnerabilities are inherent weaknesses that were overlooked or not accounted for during the critical design and development phase of avionics. There may be shortcomings in design specifications, in meeting international military standards, or in specific requirements for compliance with operational protocols. For example, if communication systems are not designed to incorporate national encryption standards or the requirement for secure communication with other operational assets from allied nations, the systems will not only fail to meet operational requirements — they will also be vulnerable to cybersecurity compromise. For this reason, purpose-built interfaces (LRUs) developed for modern military aviation systems must meet very strict national/international military standards (for both wired and wireless communications) to ensure the security of these systems. Specification vulnerabilities can only be addressed during the design and development phase of these systems, and remediation requires continuous input and guidance from cybersecurity experts.
Implementation Vulnerabilities
These vulnerabilities are flaws in the source code of software and firmware developed for aviation systems. Failure to seek the necessary input from operational cybersecurity experts at the right stage can lead to inherent gaps in the software/firmware. These gaps can be exploited to carry out attacks and compromise the security of avionics.
Operational Vulnerabilities
These vulnerabilities are tied to the security culture of the organizations involved in the design/development and subsequent operations of cutting-edge avionics systems. Any flaw that goes undetected due to insecure configurations of avionics or weak/inadequate procedures/SOPs can lead to cybersecurity breaches and compromise the integrity of these systems — which can directly translate into mission failure. These vulnerabilities can be easily prevented if those involved in installing and operating the systems follow robust procedure-based best practices.
It is also critically important for companies involved in the design and development of sensitive aircraft systems and avionics to conduct comprehensive cybersecurity risk assessments and clearly define the attack surface across the entire technical/operational spectrum in order to address all possible vulnerabilities. This requires an in-depth analysis/risk assessment of all assets (hardware + software) in a system, as well as an evaluation of all possible points at which these systems may interface with the outside world (maintenance/operational interfaces, etc.). During this critical phase of designing and developing sensitive avionics systems, it is most appropriate to seek assistance from cybersecurity experts known for their expertise and professionalism in the field.
We live in a world where no digital entity can consider itself safe against ever-evolving cybersecurity threats. Cybersecurity threats targeting the civil aviation sector are generally well understood by cybersecurity professionals and firms operating in the civilian domain. In addressing these threats, the operational requirements of military aviation and their accompanying cybersecurity needs are typically less well understood within civilian cybersecurity sectors. The growing cybersecurity threats targeting military aviation systems and related entities require civilian cybersecurity experts to develop a comprehensive understanding of military aviation — enabling them to provide the most appropriate recommendations and solutions based on the latest cybersecurity trends and countermeasures. Since military aviation systems and avionics are specifically designed to ensure mission success under the most demanding conditions — whether operating in connected or disconnected environments — they require a robust cybersecurity plan at both the design/development and deployment/operations phases. The best cybersecurity measures for sensitive avionics systems can only be achieved through regular guidance, oversight, and recommendations from the best cybersecurity professionals in the field, provided that the necessary technical knowledge is made available to those experts for processing.
Author: Nasim Abbas
You May Be Interested In These
